PCI Pal has recently featured on the Computer Weekly magazine website.

With security threats growing in scale and complexitty, security analytics provide a wway for IT teams to stay one step ahead of cyber attackers. The challenge is to ensure this technology continues to be effective in the face of security challenges.

In today’s digital economy, one of the biggest threats facing businesses is cyber crime. Hackers are causing financial, reputational and organisational damage to organisations on an unprecedented scale.

According to new findings from Grant Thornton, cyber attacks have resulted in £30bn of combined losses for UK businesses over the past year. Meanwhile, a report by ForgeRock found that organisations on the other side of the Atlantic lost $654bn because of breaches in 2018.

Security breaches are not showing any signs of slowing down, either. Research from insurance giant Hiscox shows 60% of organisations have been affected by at least one attack this year, increasing from 45% in 2018. Hiscox describes three-quarters of firms as “novices” when it comes to mitigating cyber crime.

The big challenge for organisations and security teams is that cyber attacks are constantly growing in scale and complexity, making them increasingly difficult to track and mitigate. Cyber criminals are using a range of sophisticated techniques, such as social engineering, to increase their chances of successful attacks.

But as hackers continue to find new ways to launch attacks, pressure is increasing on businesses to improve their cyber security strategies. Many are doing this by using security analytics, which is the use of data to measure and detect potential breaches. The question is, how can organisations ensure this technology is effective and remains innovative in this area with the emergence of new threats?

Responding to new threats

Every day, IT teams face new security threats that could have devastating consequences if they are not detected and mitigated in time. However, this is becoming increasingly difficult for organisations because attackers continue to find new and more complex ways to bypass defence mechanisms.

Saj Huq, programme director of the London Office for Rapid Cyber Advancement (Lorca), says organisations are having to defend themselves from a multiplicity of attacks. “These include both the ‘spray and pray’ kind, where there can be collateral damage, as well as the sophisticated, highly targeted attempts by malicious actors to infiltrate a company’s defences and create security holes using cutting-edge methods,” he says.

“IT teams are under pressure to wade through a large volume of potential threats and, crucially, prioritise those that could do the most damage before taking appropriate action in time. But they are also extremely under-resourced, because of an ongoing shortage of expert talent, and so struggle to respond in time or protect complex technology stacks.”

Huq says these trends are now converging and creating a pressing need for a smarter, analytics-driven approach to cyber. “Some of the most innovate solutions coming to market combine AI[artificial intelligence], predictive analytics and machine learning to do increasingly complex threat identification and prioritisation, and sometimes automated incident response,” he says.

“This frees up IT teams to focus on turning those insights into actions and decisions. Technology is still not able to replace cyber teams, but as the cyber security skills shortage continues, it can at least do some of the heavy lifting.”

One threat, in particular, is increasing in frequency, highlighting the need for more robust cyber security measures – and that is sleeper attacks. In these scenarios, an attacker compromises a system, platform or environment, but waits weeks, months or even years before initiating the planned attack, according to Avi Raichel, CIO at IT resilience platform Zerto.

“Security analytics platforms, combined with machine intelligence, enable faster time to identify an attack, and requires less human involvement. Ultimately, this ensures mitigated risk and greater security in a landscape of increasingly sophisticated cyber threats.”

Raichel says the industry is also seeing a lot of convergence between IT resilience tools and security analytics. “Using analytics, you can identify the point of the attack, and therefore identify the best recovery point, which helps to minimise time to recovery,” he says.

“If we take this a step further, with journaling enhancements evolving in the IT resilience space, you can automatically protect yourself from cyber threats by creating a ‘data backup’ of a relevant point in time prior to the attack. The trick is in winding back to this point after the attack has been identified, creating a backup of the past, ultimately ensuring complete protection and easy recovery.”

The power of big data

Regardless of industry, all businesses face the challenge of dealing with growing datasets – and this is becoming an important consideration for technologists and security professionals. Haroon Malik, director of cyber security consulting at Fujitsu UK & Ireland, says the amount of data and information that security teams are handling today has exploded, and businesses need tools to make sense of all of this noise.

“With the threats constantly evolving and becoming more advanced, businesses have to defend themselves through greater commitment to data collection and security analytics tools,” he says. “Security analytics is the process of using data collection, aggregation and analysis tools for security monitoring and threat detection. By detecting and classifying threats and providing IT security analysts with actionable information, organisations are able to actively reduce risk.”

Malik says security analytics tools can be hugely effective because they aggregate data from many possible sources – such as operating systems, firewalls, routers and virus scanners – before correlating and analysing this information to figure out attack patterns, potential threats and possible methods of attack.

“The concept of security analytics is not necessarily new, but today’s security analytics tools have improved, and this new generation of security analytics plays a key role in analysing the massive amount of data collected from multiple security devices and sources to derive insights,” he says. “This analytics-driven approach holds greater relevance in the case of new attack models, including advanced persistent threats [APTs].

“Benefits of security analytics include: faster detection of threats through real-time visibility and enabling rapid response to future attacks, thus restricting the impact of a cyber attack; a better way to explore the root cause of cyber security incidents; deriving valuable security intelligence for IT to make better decisions; and better tracking and reduction of insider threats, fraud and data leakage.”Guy Bunker, CTO of IT security firm Clearswift, agrees that big data and new security threats are reinforcing the need for analytics. “There is no doubt that information and system security is becoming increasingly complex, even in the smallest of organisations,” he says. “The amount of data that is available is likewise increasing, and with cyber criminals and attacks becoming increasingly sophisticated, there is a need to be able to tie it all together – and this is where security analytics comes in.”However, Bunker says the challenge with all this data is how to spot the wood from the trees when it comes to developing some form of actionable intelligence. “Analytics is there to draw out the information from the data by correlating the different sources,” he says. “For example, a failed login, or an attempt at privilege escalation on one machine, could just be down to user error because we all have challenges typing our password from time to time.

“But if there are multiple attempts over the course of a few minutes, across multiple machines or at two o’clock in the morning, then warning flags should be raised. Even with all the analytics, there is often a challenge to remove the false positives to help the administrator to concentrate on potential incidents.”

This is where AI and machine learning technologies can help. “The real goal is for the overarching systems to become smarter based on what is being observed in the data,” says Bunker. “For example, if a system has 10 failed logins and then it is successful, there is potential that the system has been compromised.

“It could be automatically isolated on the network, removing access to any shared drives, collaboration servers or cloud access – until it has been thoroughly checked and given a clean bill of health, and maybe the password that was successful changed. It is this type of actionable intelligence that is where security analytics is heading – and it is needed to be able to keep up with the ever-changing world we live in.”

Developing a robust analytics strategy

In many ways, organisations are fighting a battle on several fronts when it comes to cyber security threats. But without implementing appropriate security protections, they risk falling victim to devastating attacks that could have been avoided.

“The current threat landscape highlights that threat actors diversify their tactics, techniques and procedures [TTPs] to ensure they can maximise their success and operate efficiently to ensure an ROI (return on investment),” says Neil Thacker, CISO of cloud firm Netskope. “This is evidenced as we see attacks continue to target websites, web applications and new attack surfaces, such as attacks against cloud services, targeting rich and large datasets.

“As organisations defend against these TTPs, the need for robust controls is clear. However, as threat actors continually learn how to circumnavigate these controls, the need for security analytics to both predict and defend against these attacks becomes an essential requirement.”

Thacker takes the view that the application of analytics to understand new patterns and statistics is key. At Netskope, he and his team use a sophisticated machine learning engine to identify and respond to potential attacks.

The machine learning engine analyses seven dimensions (time of day and day of the week, source location, destination location, device identity, cloud application, activity and object) and uses multiple algorithms to increase efficacy in areas such as noise resistance, multi-dimensionality and generality, robustness and ability to cope with missing data, adaptability and self-tuning, future-proofing and personalisation.

“Exploiting and maximising the data available is a routine exercise in our security programme that is designed to enable us to understand activities pre-attack and the true context surrounding activity during an attack,” says Thacker.

“Aligning analytics against threat models, such as Lockheed Martin’s cyber kill chain, is a fundamental in my security programme. Enhancing detection at each stage and applying cloud-based machine learning as a service [MLaaS] aids accuracy, validation and, with mature models, data and analytics, allows for automated responses to neutralise any attempts to circumnavigate security controls.”

Geoff Forsyth, CISO of payment solutions firm PCI Pal, is also using security analytics to keep his organisation one step ahead of cyber criminals. “The methods used by hackers are constantly evolving,” he says. “If it was as simple as closing a single loop to prevent breaches from occurring, this would have happened many years ago and the problem would be no more.

“Sadly, that is not the case, and instead, it has become an ongoing game of cat-and-mouse between hackers and organisations. As they evolve, we too evolve by using new applications, systems and analytics to mitigate such threats.”

Analytics to mitigate security threats

Forsyth says his team actively uses analytics to mitigate security threats. “Being a PCI DSS [payment card industry data security standard] Level 1 service provider, we must adhere to stringent regulatory requirements set out by the major credit card providers via the PCI Security Standards Council, which dictate how credit card information must be protected while being passed between cardholders and the merchant’s bank,” he says.

“We use Amazon Web Services’ cloud environment, which provides us with the solid security foundation we require. However, to close the data security loop, we needed additional security measures, such as an intrusion detection system and log management to guarantee the maximum defence of clients’ sensitive credit card data.”

PCI Pal also works with Alert Logic, using its security-as-a-service offering to provide 24/7 real-time security monitoring of IT environments. “This includes network intrusion detection, vulnerability management, and log management,” says Forsyth. “Fundamentally, it means our data is under real-time analysis at all times.

“Their systems are founded on AI and so intelligently analyse all of our data and processes to identify anomalies. This is backed up by a security operations centre, which has technicians in place who analyse data outputs. Having access to real-time analytics and support of this nature gives me complete peace of mind.”

As the connected ecosystem continues to expand and more businesses invest in technological assets, cyber threats are likely to keep growing.

Given the complexity of current and emerging hacking techniques, security analytics offer organisations and security teams a robust way to detect and respond to potential attacks quickly and effectively.